An award-winning security, risk and resilience professional looking to learn, grow and share with anyone who will listen...

Wednesday, 22 October 2014

ISO 22301 Certification – Challenging to Attain, Harder to Maintain?

During my very first Stage 1 Audit for ISO 22301 I was naturally very curious. I was spouting out all sorts of thoughts and questions (no doubt much to the annoyance of my Manager and the attending Auditor at the time, but I think it’s important to ask those questions when learning). One thing I have remembered from that experience was being told:

“Achieving the initial ISO 22301 certification is probably the easiest part. Everything is new, employees tend to be enthusiastic and management often seem to have it at the top of their list. It’s the repeat visits (AKA Surveillance or Continuous Assessment Visits) or the Extension to Scope Assessments that present the real challenge. Employees can lose interest, other competing demands take over in the boardroom and documents can sometimes get mothballed.”

In hindsight the Auditor wasn’t wrong. As soon as that organisation first achieved certification it was quickly celebrated, but then the profile simply lost some of its “fizz”. Other challenges or new exciting initiatives took over and, while the BCMS continued to tick over, things definitely appeared to slow down. But then came the return visit…

As you can imagine with these kinds of things, there was a last minute flurry of activity to update plans, roll out awareness campaigns, and brief all managers to within an inch of their life about the possible questions they might receive!

I do remember feeling differently at the time of this visit. My initial foray into ISO 22301 certification (from scratch) was a steep and rapid learning curve and, if I’m being honest, I experienced some fatigue and made many mistakes, but thankfully we still passed. Since that particular experience I’ve had some time to live and breathe various systems and have enjoyed the luxury of hindsight. For me, this particular surveillance visit presented some new thoughts that I’d like to share with those who wish to know.

An Auditor Never Forgets…

With the best will and intention, during Stages 1 and 2 you are likely to present the Auditor with a picture of the future BCMS as part of your efforts to continually improve. For example you might say “well, at the moment we capture BC risk in a very basic way, but by next year we will have this new management software”…etc. The Auditor, from my experience, will give you the benefit of the doubt and will take note of the prospective improvement that you foresee. Just be careful not to be too ambitious…

The reason I say this is that the previous audit report from the initial certification will serve as a timely reminder to the attending auditor of what they might find. The beauty of this situation for them is that they have a detailed list of findings (including weaknesses and stated future intentions) to work from and refresh their memory. This means they can flag up any previous intention that, for one reason or another, wasn’t followed up.

My advice to anyone who is about to go through the same experience is to be abundantly clear on the previous findings in that report and to tie up any loose ends that are referenced in it.

The One Constant is Change

You need to ensure that change has been captured in all the right documents. A lot can happen in 6-12 months. Your organisation could restructure, take on new business, lose contracts etc. The BCMS will need to keep abreast of these changes. I thought I’d achieved this by keeping records of management review meetings, but unfortunately I didn’t devise a process for triggering a change in documents outwith their annual cycle. So any significant change to the business wasn’t added to the appropriate document until its regular update deadline, which could potentially be 10-12 months away! I know people will think this is a simple mistake to make, but when you’re dealing with a multi-site, international company with an abundance of related documents it’s much harder to oversee than one would hope! Cue all those arguments in support of BC software!

Communicate Communicate Communicate

Do not underestimate how quickly your efforts to raise BC awareness will be lost in the business! The rate of change and emergence of new initiatives in some organisations is unprecedented. I found it surprising just how quickly managers and staff had forgotten what they were told a year ago.

In a last minute dash to ensure all key managers were up to speed for a surveillance visit I became increasingly aware of the lack of legacy from my previous awareness campaign. In no less than 12 months, the awareness of some staff had visibly degraded from a good understanding of the policy, ownership of plans, recent training events etc. to virtually nothing. In one example an individual simply responded by saying…

“Business Continuity? Is that not that thing where we leave this building and get a bus to somewhere else?”

It is worth noting that the absence of a continuous and effective communications strategy to all areas of the business (as required by the standard) will lead to a rapid deterioration of BC knowledge and awareness.

A Change in Pace and Intensity

For those who have read my previous posts on Stages 1 and 2, you will notice that I tend to comment on the pace and intensity of the initial audits. One thing that struck me during my first surveillance visit was that the Auditor was not as thorough with the basics as before, because they had been covered no less than a year ago. For instance, during an interview with a key manager the auditor appeared to be pitching his questions at a higher level. After that interview the manager in question actually said to me that they felt they got off lightly compared to last time! Overall I found the experience to run at a more natural pace with less intensity compared to the previous stages, which I was very thankful for!

The Importance and Value of Scope

As part of your organisation’s journey to certification and subsequent maintenance you may have to undergo additional “extension to scope” audits, which are in themselves mini Stage 1 and Stage 2 events combined.

The scope of ISO 22301 certification is an extremely important area to be aware of. The guidance in the standard itself makes it abundantly clear that a BCMS must specifically outline the scope of its coverage and also any exclusions. If, for instance, you are exclusively covering the Finance Department of a business, you will need to explain during the Stage 1 audit why the other areas of operation are not included. If you intend to extend the scope to other departments and sites you will need to make the auditor aware so that they can plan this into their own work programme (I’m led to believe you have to book about 6 months in advance).

The scale and complexity of an organisation might sometimes mean that the scope of certification has to start in one area of the business and then extend out over time as part of a project. It would almost certainly require a significant pool of resource to roll out an entire certification for the whole business in one go. I’ve been in that position before and we had to scale back our scope because we couldn’t bring the entire business up to speed quickly enough.

I can remember a BC practitioner once suggesting to me that, up until recently, there were some businesses out there that would simply get certification for one of their smaller offices and then imply that “the business” was certified. While no organisations were given to me as examples at the time, I could definitely see how that could work as a quick win for them, but it is of course ineffective and ultimately dishonest, so I’m sure the reality is that it was either an isolated case or mere speculation.

Summary

These are just a few thoughts from one of my first experiences of what happens after the initial achievement of certification. The key lessons for me are simple:

- Clarify and document your scope
- Read and understand your audit reports before the Auditor actually arrives
- Ensure all changes are captured to reflect the current picture of the organisation
- Deliver a lasting programme of awareness to the business